Thursday, April 30, 2026




Mythos AI triggers record number of patches and divides experts

Mythos AI, Anthropic's latest model, has identified, according to the company itself, thousands of unknown vulnerabilities in just seven weeks. The tool triggered a record volume of security patches and pressured governments and central banks to coordinate emergency responses. Launched in April 2026 to a select group of organizations, it exposes a growing tension between the speed of automated detection and the human capacity for response.

Microsoft was one of the first to feel the impact. The April edition of Patch Tuesday included fixes for 167 security flaws, a number that Adam Barnett, senior software engineer at Rapid7, described as "a new record." Barnett himself acknowledged that it was tempting to link this volume to the announcement of Project Glasswing the previous week, although without establishing a direct causal relationship.

Mozilla followed suit. Firefox 150 integrated fixes for 271 vulnerabilities detected with the support of Mythos AI, although only three were formally credited to the tool in Mozilla's official security note, according to The Register. Anthropic claims, in its official System Card, that the flaws found cover all major operating systems and browsers, some decades old.

Project Glasswing: controlled access, increasing pressure

The program was launched with eleven named partners, including Amazon Web Services, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorgan Chase, the Linux Foundation, Microsoft, Nvidia, and Palo Alto Networks, joined by more than 40 additional organizations responsible for critical software infrastructures. The more time partners have to fix flaws before the model is made widely available, the lower the risk of malicious exploitation.

Anthropic confirmed plans to extend access to European and UK banks. The European Central Bank is preparing to warn banks under its supervision about the risks of Mythos AI, according to Reuters, cited by the Business Standard. Unlike in the US, this consultation is taking place through the usual channels of dialogue with banking staff, without any extraordinary meetings with top management scheduled for now.

Banks and governments mobilized

In the US, Treasury Secretary Scott Bessent and Federal Reserve Chairman Jerome Powell met with banking executives on April 8th to encourage them to test their own systems with Mythos AI. Goldman Sachs, Citigroup, Bank of America, and Morgan Stanley responded to the call and began internal testing, according to Bloomberg, cited by TechCrunch. Jamie Dimon, CEO of JPMorgan Chase, warned that Mythos AI exposes more vulnerabilities to potential cyberattacks, according to CNBC.

The mobilization went beyond the US. Indian Finance Minister Nirmala Sitharaman chaired a high-level meeting with bank directors, the Reserve Bank of India, the Ministry of Electronics and Information Technology, the NPCI, and CERT-In to assess the risks associated with Mythos AI, according to the Economic Times. Sitharaman urged banks to take preventative measures to protect their systems and customer data, tasking the Banking Association of India with coordinating the institutional response.

Christian Sewing, CEO of Deutsche Bank, told Bloomberg that the German banking sector does not see Mythos AI as an existential threat, although he acknowledges that its cybersecurity capabilities warrant heightened vigilance.

The dual-use dilemma

Palo Alto Networks warned that capabilities similar to Mythos AI will eventually be available outside the controlled perimeter of American companies with built-in safeguards. The risk pointed out by the company is accurate. Threat actors with access to equivalent tools could create “unprecedented autonomous attack agents in the industry,” a category of risk for which current defenses are unprepared.

Anthropic's cybersecurity assessment documents the offensive capabilities of the model and the rationale behind restricted access. Artificial intelligence is finding vulnerabilities at a faster rate than teams can fix them, and defenders are facing a race for which they are not yet equipped.

Anthropic has committed up to $100 million in usage credits to partners and $4 million in donations to open-source security organizations, including Alpha-Omega, the Open Source Security Foundation, and the Apache Software Foundation, according to the official Project Glasswing page. The company guarantees that the model will not be widely available until new safeguards are operational.

The release of the Mythos model (or Claude Mythos Preview) by Anthropic in April 2026 triggered a record volume of security fixes by automating the discovery of critical flaws. The model was able to identify thousands of zero-day (unknown) vulnerabilities in just seven weeks of testing, equivalent to about 30% of the world's annual production of such discoveries before the use of AI.

The Impact of Mythos on Cybersecurity

Mythos's differentiating factor is not only the volume of flaws found, but its autonomy and speed. It can perform complex analyses, chain multiple vulnerabilities, and generate functional exploits in minutes or hours, tasks that would take weeks for experienced human researchers.

Emblematic discoveries: Mythos identified a 27-year-old flaw in OpenBSD and a 16-year-old vulnerability in the FFmpeg video software, both ignored by decades of human audits and traditional automated tools.

Patch Wave: Anthropic formed the Project Glasswing consortium — including Microsoft, Google, Apple, and the Linux Foundation — to provide early access to the model. The goal is to allow these partners to patch their systems before the model (or similar capabilities) falls into malicious hands.

Patch Bottleneck: Experts warn that the speed of AI discovery has surpassed human patching capacity. This has created a "congestion" of updates, forcing companies to prioritize exploitable flaws instead of trying to patch the entire reported volume.

Why wasn't the model released to the public? Due to its high potential for offensive use (dual-use), Anthropic decided to keep Mythos as an internal research model, with no plans for general release. The company cited its Responsible Escalation Policy (RSP), indicating that the model has reached capability levels (ASL-3) that require extreme safeguards against the development of biological weapons and large-scale cyberattacks.

Recommendations for users and businesses

With the acceleration of discoveries, the traditional model of "waiting for a vulnerability to fix" has become insufficient.

Automatic updates: Enable automatic updates on all devices, especially browsers and operating systems.

Digital hygiene: Use password managers and two-factor authentication (MFA) to mitigate the impact if an account is compromised by a system failure.

Data security: Companies should focus on protecting the data itself (data-centric security) and behavioral monitoring, assuming that breaches in the external perimeter will become increasingly common.

mundophone
